HHS requires business partners to comply with new health privacy rules

From a data breach perspective, the rules now require "business associates" of health care entities to also comply with security and privacy regulations, and raises penalties for noncompliance based on the level of negligence to a maximum penalty of $1.5 million per violation.

Business associates and their subcontractors were not subject to the privacy and security rules in the Health Insurance Portability and Accountability Act (HIPAA) when it first became law in 1996. But now, data processing firms, law and accounting firms, IT consultants, cloud computing providers, billing centers and others will need to comply with many of HIPAA's requirements.

The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

According to the rulemaking, the risk assessment has been modified “to focus more objectively on the risk that the protected health information has been compromised. Thus, breach notification is not required under the final rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrate that there is no significant risk of harm to the individual as was provided under the interim final rule.”

The final rule is effective March 26, and covered entities and business associates must comply with the applicable requirements of this final rule by Sept. 23. The HHS is prepared to administer penalties for failure to do so, it said.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez, in a statement. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

IT blogger Thu Pham noted that business associates have already been in the cross-hairs, legally speaking. Minnesota’s Attorney General is suing Accretive Health over an unencrypted data breach incident that occurred last year when a laptop containing 23,500 patient records was stolen from the business associate’s car. Accretive Health is a licensed debt collector that also provides a patient analysis service for hospitals.

“Part of the reason why they were targeted may be linked to further complexity of the case – not only did Accretive Health suffer from a data breach, but the lawsuit claims they were also accessing and using patient data without the knowledge or consent of patients,” Pham said. “One of their services provided the probability of a patient’s hospital admittance and their calculated potential financial worth to the patient’s healthcare provider, all based on perceived risk factors from their personal health information, according to the claim.”

Another major HIPAA violation case involving a business associate was the Department of Defense’s military healthcare program, in which a contractor employee left an unencrypted laptop in their car and it was stolen. About 4.9 million patients were affected. A lawsuit was filed by a few of the affected patients, and in the claim, they indicated the need for all contractor employees to be properly trained in how to handle personal health information.

“Business associates should prepare for compliance with new HIPAA obligations on September 23, including implementation of a Security Rule compliance program,” they advised. “Covered entities should also begin conforming their HIPAA compliance programs to reflect the new requirements of the Final Rule, including updating and redistributing notices of privacy practices and amending business associate agreements.

The HHS said that the final omnibus rule in general enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law. For instance, patients can ask for a copy of their electronic medical record in an electronic form, and, when individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule also sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individuals’ health information without their permission.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius, in a statement. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”